Resolution: Fixed
Assignee: Guus der Kinderen
Reporter: Guus der Kinderen
Priority: Medium
Created October 11, 2022 at 11:42 AM
Updated October 11, 2022 at 6:31 PM
Resolved October 11, 2022 at 6:31 PM
Java's SSLEngine "client authentication" setting controls whether, during a TLS handshake, the local endpoint (acting as the TLS server) asks the peer for a certificate chain, so that the chain can be used to identify the peer. In "want" mode the chain is requested but a peer that sends none still completes the handshake; in "need" mode a missing chain is a handshake failure. This feature is rarely used for clients, but it is used extensively for server-to-server communication. The corresponding SASL authentication mechanism used for this is EXTERNAL.
By default, "client authentication" is disabled in Openfire. I assume that this is due to the complexities it adds for clients when enabled by default, while hardly any client uses it. In , the S2S client-auth settings were made more permissive, allowing "client auth" to occur when the local server has a properly signed certificate installed.
This does not make a lot of sense: "client auth" defines how (and if) the local server should handle certificates sent to it by peers. It has no direct connection to the certificate that the local server has configured for itself. It is perfectly reasonable to accept a peer's certificate (when it chains to a trust anchor in your trust store) even when there is little chance that the peer will accept your own certificate (because it is self-signed). In Openfire's S2S implementation, the inbound and outbound connections are completely separate: the inbound side decides whether to trust a peer's chain, the outbound side presents our own chain to the peer.
Openfire should, by default, allow for “client auth” on inbound S2S connections (even if Openfire itself has been configured to use a self-signed certificate to express its own identity).
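The following is an added illustration, not code from Openfire or from this issue's author: it shows how the two inputs that the issue says are independent, the local identity (key store, possibly self-signed) and the trust anchors used to judge peers (trust store), feed separately into an SSLContext, and how an inbound S2S engine then enables "client auth" in "want" mode regardless of what the local certificate looks like. The class name S2sTlsExample, the PKCS12 file paths and the passwords are assumptions for the example; the outbound engine uses the JDK's HTTPS-style hostname check as a stand-in, whereas a real XMPP implementation applies the identity rules of RFC 6120 section 13.7.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Illustrative helper (not Openfire code). Local identity and peer trust are
 * separate inputs; "client auth" on an inbound engine depends only on the latter.
 */
public final class S2sTlsExample {

    /** Builds an SSLContext from separate identity and trust material (PKCS12 assumed). */
    public static SSLContext buildContext(Path keyStore, char[] keyStorePassword,
                                          Path trustStore, char[] trustStorePassword) throws Exception {
        // Identity: what we present to peers. A self-signed certificate is fine here;
        // it only affects whether *peers* will accept *us*.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keyStore)) {
            ks.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyStorePassword);

        // Trust: the anchors against which a *peer's* chain is validated. This is the
        // only thing client authentication on an inbound connection depends on.
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ts.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Engine for an inbound S2S connection: we are the TLS server. */
    public static SSLEngine inboundEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // "Want" rather than "need": request a chain, but let a peer that sends none
        // complete the handshake and authenticate by another mechanism (e.g. Dialback).
        // Whether our own certificate is self-signed plays no role in this decision.
        engine.setWantClientAuth(true);
        return engine;
    }

    /** Engine for an outbound S2S connection: we are the TLS client. */
    public static SSLEngine outboundEngine(SSLContext ctx, String remoteDomain, int port) {
        SSLEngine engine = ctx.createSSLEngine(remoteDomain, port);
        engine.setUseClientMode(true);
        // Check the server's certificate against the remote domain name. "HTTPS" is a
        // stand-in here; XMPP's own identity rules (RFC 6120 s.13.7) apply in practice.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /**
     * After the handshake on an inbound engine: the peer's leaf certificate if it
     * presented a chain that validated against our trust store, otherwise empty.
     * Empty means "identify the peer some other way", not "reject the connection".
     */
    public static Optional<X509Certificate> peerCertificate(SSLEngine engine) {
        try {
            Certificate[] chain = engine.getSession().getPeerCertificates();
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                return Optional.of((X509Certificate) chain[0]);
            }
            return Optional.empty();
        } catch (SSLPeerUnverifiedException e) {
            // The peer sent no certificate (allowed in "want" mode): SASL EXTERNAL is not
            // available for this peer, so another authentication mechanism must be used.
            return Optional.empty();
        }
    }

    private S2sTlsExample() {}
}
```

Usage: build one context with `buildContext(Path.of("/etc/openfire/identity.p12"), idPw, Path.of("/etc/openfire/truststore.p12"), trustPw)` (assumed paths), hand `inboundEngine(ctx)` to the accepting side and `outboundEngine(ctx, "example.org", 5269)` to the connecting side; after the handshake, `peerCertificate(engine)` being present is the condition under which SASL EXTERNAL can be offered to the peer. Note that the identity store's self-signed certificate is never consulted when deciding that.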